The final paper will consider the risks and defenses for a business or agency. This is similar to the Company exercises, but this will be an individual project and not a group exercise.
First, select an entity, either a business, governmental agency, or NGO. It may be an entity with which you are familiar or not, it is up to you. All that is important is that the entity be larger than an individual and that it have information assets of some sort. You may not use Entergy or any company in the energy sector (including not only electricity but fossil fuels and other energy as well).
You will consider the cyber risks for this entity as if you were their security manager. Your memo should have the following sections:
1) Executive summary/Bottom Line Up Front
2) Introduction of your company
3) Consideration of the information assets and the consequences of their loss
4) Consideration of the threats, with consideration of means, motive, and capabilities. Consider how badly the adversary wants those assets, and how much time and money they would be willing to spend to affect them. One important consideration is whether those assets unique or are there other entities that have similar assets? If other entities have those assets then you may only have to provide enough security to make them prefer the other entity.
5) Suggested cyber security activities. Include not only protective measures but also detection and reaction measures as well. If you have not yet recognized how the FCC cyber planner can help you, it may be in your interest to look at it now.
This paper should be double spaced, no shorter than 10 pages and no longer than 15 pages (cover page, references, and any pictures or graphs can be additional to that).